systemd.service: Tighten hardening options.

author: Guilhem Moulin <guilhem@fripost.org> 2018-12-09 18:15:10 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2018-12-09 20:25:40 +0100
commit: 2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch)
tree: fa970590ab58a1d42913deccbca3adef05eaae83 /roles/IMAP
parent: 2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
index 7e790e3..d20f9c2 100644
--- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -1,22 +1,27 @@
 [Unit]
 Description=Dovecot authentication proxy
 After=dovecot.target
 Requires=dovecot-auth-proxy.socket
 
 [Service]
 User=vmail
 Group=vmail
 StandardInput=null
 SyslogFacility=mail
 ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
 
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectSystem=strict
 ProtectHome=read-only
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=
 
 [Install]
 WantedBy=multi-user.target
 Also=postfix-sender-login.socket
author	Guilhem Moulin <guilhem@fripost.org>	2018-12-09 18:15:10 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2018-12-09 20:25:40 +0100
commit	2147ff3bd9091b88960e2243b2d7d76d03cadc89 (patch)
tree	fa970590ab58a1d42913deccbca3adef05eaae83 /roles/IMAP
parent	2845af5f76ad3be9c0a1f69ab478ff5a08346a4c (diff)